Early adopters of Office 365 often fell into two camps. The first camp involved easy use cases where email was a quick win with relatively straightforward environments. The second camp involved complicated organizations, such as large universities, where the low Office 365 price point justified expensive synchronization software and custom options.
How complex Active Directory environments fit in with Office 365
This is part one in a series about using complex forests to migrate to Office 365. Stay tuned for part two, which covers migrating via a single forest and new features that support multi-forest hybrid deployments.
A single-domain, single-forest infrastructure is often complicated, as is a single-forest multiple domain Active Directory (AD) infrastructure. Although the surrounding infrastructure, such as multiple sites and replication, can make the technicalities of a project to migrate to Office 365 more interesting, it doesn't pose much in the way of AD and hybrid Exchange issues.
Single-forest AD environments benefit from being able to use the standard Windows Azure Active Directory Sync Tool (DirSync) and a hybrid Exchange infrastructure. The DirSync tool ensures that accounts in the source AD are copied to Azure AD, the back-end directory service Office 365 uses, and then kept in sync with it.
Multi-forest AD and Exchange deployments come in many forms, but for most organizations, they're split into two types -- deployments using multiple account forests with Exchange installed, and deployments using an account forest and a resource forest with Exchange installed. The former type of deployment is seldom planned, since the organization ends up with multiple AD environments over time through mergers and acquisitions. The latter type of deployment is often planned.
With the right trusts in place to ensure that end users can access resources, the right configuration to share email address domains and software to synchronize Global Address Lists, these environments are manageable. But they present an issue when a company migrates to Office 365: DirSync doesn't support multi-forest scenarios or understand how to merge accounts from different forests.
Challenges for integrating or migrating multiple AD forests
Office 365 is a collection of services, and while most organizations look to migrate some or all of their email to the service, it's increasingly common to use services such as Lync Online or OneDrive for Business. Regardless, identity remains key.
This means an organization will want to make sure that, at a minimum, end users can log in with their AD credentials. DirSync installed in one of multiple forests won't achieve this on its own. The challenge is providing an identity in Office 365 for corresponding end users to log into and to use when migrating the corresponding on-premises mailbox.
When it comes to multiple forests, additional services such as AutoDiscover are important. The reason for this is that there has to be an on-premises point that acts as AutoDiscover for a shared domain name in a hybrid scenario, and it has to be able to redirect end users to the correct AutoDiscover endpoint. That means good data in each AD forest, especially in the forest AutoDiscover points at.
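The account-merging and data-quality problems described above, as an added example that is not part of the original article: a pre-migration check over constructed exports from an account forest and a resource forest. It assumes linked mailboxes carry the logon account's SID in msExchMasterAccountSid, which is how Exchange ties a resource-forest mailbox to its account; the forest names, users and function names are made up.

```python
from collections import defaultdict

# Constructed sample exports (forest names, users and SIDs are made up).
# objectSid, msExchMasterAccountSid and proxyAddresses are real AD/Exchange attributes.
ACCOUNTS = [  # account forest: enabled logon accounts
    {"forest": "acct.example", "sam": "asmith", "objectSid": "S-1-5-21-1-1104",
     "proxyAddresses": []},
    {"forest": "acct.example", "sam": "bjones", "objectSid": "S-1-5-21-1-1105",
     "proxyAddresses": ["smtp:info@contoso.example"]},
]
MAILBOXES = [  # resource forest: disabled users holding linked mailboxes
    {"forest": "res.example", "sam": "asmith", "msExchMasterAccountSid": "S-1-5-21-1-1104",
     "proxyAddresses": ["SMTP:asmith@contoso.example", "smtp:info@contoso.example"]},
    {"forest": "res.example", "sam": "cdoe", "msExchMasterAccountSid": "S-1-5-21-1-9999",
     "proxyAddresses": ["SMTP:cdoe@contoso.example"]},
]

def label(obj):
    return f'{obj["forest"]}\\{obj["sam"]}'

def join_linked_mailboxes(accounts, mailboxes):
    """Pair each mailbox with its logon account; return (pairs, orphans)."""
    by_sid = {a["objectSid"]: a for a in accounts}
    pairs, orphans = [], []
    for mbx in mailboxes:
        owner = by_sid.get(mbx.get("msExchMasterAccountSid"))
        if owner:
            pairs.append((label(owner), label(mbx)))
        else:
            orphans.append(label(mbx))  # needs review: no logon account found
    return pairs, orphans

def address_conflicts(accounts, mailboxes):
    """SMTP addresses claimed by more than one identity across both forests."""
    claims = defaultdict(set)
    known = {a["objectSid"] for a in accounts}
    for obj in accounts + mailboxes:
        sid = obj.get("objectSid") or obj.get("msExchMasterAccountSid")
        identity = sid if sid in known else label(obj)  # unjoined objects stand alone
        for addr in obj["proxyAddresses"]:
            prefix, _, value = addr.partition(":")
            if prefix.lower() == "smtp":  # skip X500, SIP and other address types
                claims[value.lower()].add(identity)
    return {addr: sorted(ids) for addr, ids in claims.items() if len(ids) > 1}

if __name__ == "__main__":
    pairs, orphans = join_linked_mailboxes(ACCOUNTS, MAILBOXES)
    print("joined:", pairs)
    print("orphaned mailboxes:", orphans)
    print("address conflicts:", address_conflicts(ACCOUNTS, MAILBOXES))
```

Mailboxes reported as orphaned and addresses reported as conflicting are the records to clean up in each forest before any synchronization is attempted.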
About the author:
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.